Vulnerability Summary

Defect ID: wooyun-2015-090470

Title: Office Word 2007/2010 arbitrary code execution (with preconditions)

Vendor: Microsoft

Author: telnetgmike

Submitted: 2015-01-28 12:13

Fix deadline: 2015-04-28 12:14

Public disclosure: 2015-04-28 12:14

Vulnerability type: Remote code execution

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability Details

Disclosure timeline:

2015-01-28: Details sent to the vendor; awaiting vendor handling
2015-02-02: Vendor confirmed; details visible to the vendor only
2015-02-05: Details opened to third-party security partners
2015-03-29: Details opened to core white hats and domain experts
2015-04-08: Details opened to regular white hats
2015-04-18: Details opened to intern white hats
2015-04-28: Details opened to the public

Brief description:

Certain operations Office Word performs on the TaskSymbol control (such as clicking it or saving the document) lead to an arbitrary code execution condition; an attacker can execute arbitrary code to take control of the host.

Detailed description:

Certain operations Office Word performs on the TaskSymbol control (such as clicking it or saving the document) lead to an arbitrary code execution condition. The PoC was tested successfully on Windows XP SP3 and Windows 7 with the latest system and Office patches applied. The crash triage output below shows the faulting location reached from mmcndmgr!ATL::CComContainedObject<CTaskSymbol>::QueryInterface:

STACK_DEPTH:59
STACK_FRAME:Unknown
STACK_FRAME:mmcndmgr!ATL::CComContainedObject<CTaskSymbol>::QueryInterface+0x17
STACK_FRAME:ole32!OleIsRunning+0x25
STACK_FRAME:wwlib!wdCommandDispatch+0x1a74f5
STACK_FRAME:wwlib!DllCanUnloadNow+0x2af90a
STACK_FRAME:wwlib!FMain+0x3bf53
STACK_FRAME:wwlib!FMain+0x311ad
STACK_FRAME:wwlib!FMain+0x7d849
STACK_FRAME:wwlib!DllGetLCID+0x364f4
STACK_FRAME:wwlib!wdCommandDispatch+0x8332a
STACK_FRAME:wwlib!DllCanUnloadNow+0x363d18
STACK_FRAME:wwlib!DllGetLCID+0x3c759
STACK_FRAME:wwlib!DllGetLCID+0x33c3c
STACK_FRAME:wwlib!DllGetLCID+0x3125b
STACK_FRAME:wwlib!wdCommandDispatch+0xfb030
STACK_FRAME:wwlib!wdCommandDispatch+0x2ddb82
STACK_FRAME:wwlib!FMain+0xd2029
STACK_FRAME:wwlib!FMain+0xe8b16
STACK_FRAME:wwlib!FMain+0xe8449
STACK_FRAME:wwlib!FMain+0xe8383
STACK_FRAME:wwlib!FMain+0xe7eeb
STACK_FRAME:wwlib!FMain+0xe7de9
STACK_FRAME:wwlib!DllGetClassObject+0x6f122
STACK_FRAME:wwlib!FMain+0xe6125
STACK_FRAME:wwlib!FMain+0xe5ddb
STACK_FRAME:wwlib!FMain+0xe5cd3
STACK_FRAME:VBE6!lblEX_ThisVCallHresult+0x22
STACK_FRAME:OLEAUT32!DispCallFunc+0x16a
STACK_FRAME:VBE6!EpiInvokeMethod+0x2e3
STACK_FRAME:Unknown
STACK_FRAME:VBE6!BASIC_DISPINTERFACE_Invoke+0x91
STACK_FRAME:VBE6!WRAPPER_EVENT_SINK::Invoke+0x8e
STACK_FRAME:wwlib!FMain+0x1012a8
STACK_FRAME:wwlib!FMain+0x1011b3
STACK_FRAME:wwlib!FMain+0x101467
STACK_FRAME:wwlib!FMain+0x1013dd
STACK_FRAME:wwlib!FMain+0x100ff8
STACK_FRAME:wwlib!FMain+0x10137b
STACK_FRAME:wwlib!FMain+0x7c74f
STACK_FRAME:wwlib!FMain+0x7c6b1
STACK_FRAME:wwlib!FMain+0x530e2
STACK_FRAME:wwlib!DllGetLCID+0x185b2
STACK_FRAME:wwlib!DllGetLCID+0x10863
STACK_FRAME:wwlib!DllGetLCID+0x10494
STACK_FRAME:wwlib!DllGetLCID+0x10101
STACK_FRAME:wwlib!DllGetLCID+0xffac
STACK_FRAME:wwlib!DllGetLCID+0xfe30
STACK_FRAME:wwlib!FMain+0xd2029
STACK_FRAME:wwlib!wdCommandDispatch+0x3f798b
STACK_FRAME:wwlib!wdCommandDispatch+0x3f7f06
STACK_FRAME:wwlib!DllCanUnloadNow+0x3ba5b2
STACK_FRAME:wwlib!DllCanUnloadNow+0x3ba9e4
STACK_FRAME:wwlib!FMain+0xd4b3f
STACK_FRAME:wwlib!FMain+0xdf6fb
STACK_FRAME:wwlib!FMain+0xdc6b3
STACK_FRAME:wwlib!FMain+0x6ac
STACK_FRAME:WINWORD+0x15fb
STACK_FRAME:WINWORD+0x156d
STACK_FRAME:kernel32!BaseProcessStart+0x23
INSTRUCTION_ADDRESS:0x0000000010110d5f
INVOKING_STACK_FRAME:1
DESCRIPTION:Possible Stack Corruption
SHORT_DESCRIPTION:PossibleStackCorruption
CLASSIFICATION:UNKNOWN
BUG_TITLE:Possible Stack Corruption starting at Unknown Symbol @ 0x0000000010110d5f called from mmcndmgr!ATL::CComContainedObject<CTaskSymbol>::QueryInterface+0x0000000000000017 (Hash=0x0914394d.0xb948749e)
EXPLANATION:The stack trace contains one or more locations for which no symbol or module could be found.

Proof of vulnerability:

With the payload region filled with 0xCC (int 3), the crash lands on the breakpoint instruction, showing that control flow reached the payload bytes:

EXCEPTION_FAULTING_ADDRESS:0x10110d5f
EXCEPTION_CODE:0x80000003
EXCEPTION_LEVEL:SECOND_CHANCE
EXCEPTION_TYPE:STATUS_BREAKPOINT
FAULTING_INSTRUCTION:10110d5f int 3
BASIC_BLOCK_INSTRUCTION_COUNT:1
BASIC_BLOCK_INSTRUCTION:10110d5f int 3
MAJOR_HASH:0x0914394d
MINOR_HASH:0xb948749e
STACK_DEPTH:59
STACK_FRAME:Unknown
STACK_FRAME:mmcndmgr!ATL::CComContainedObject<CTaskSymbol>::QueryInterface+0x17
STACK_FRAME:ole32!OleIsRunning+0x25
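The crash summary above is a KEY:VALUE record with a repeated STACK_FRAME key. The following triage helper is an added example, not part of the original report or of any Microsoft or WooYun tooling; it parses that format and applies a defender-side heuristic (a breakpoint exception at an unsymbolized PC with a 0xCC-filled payload indicates the faulting address points into attacker-controlled bytes). The field names are taken from the dump on this page; the sample text is a constructed copy of that excerpt and the heuristic is the author's own.

```python
import re
from collections import defaultdict

# Constructed sample: the crash triage excerpt from the report above
# (payload region filled with 0xCC, so int 3 marks entry into payload bytes).
SAMPLE_DUMP = """\
EXCEPTION_FAULTING_ADDRESS:0x10110d5f
EXCEPTION_CODE:0x80000003
EXCEPTION_LEVEL:SECOND_CHANCE
EXCEPTION_TYPE:STATUS_BREAKPOINT
FAULTING_INSTRUCTION:10110d5f int 3
BASIC_BLOCK_INSTRUCTION_COUNT:1
BASIC_BLOCK_INSTRUCTION:10110d5f int 3
MAJOR_HASH:0x0914394d
MINOR_HASH:0xb948749e
STACK_DEPTH:59
STACK_FRAME:Unknown
STACK_FRAME:mmcndmgr!ATL::CComContainedObject<CTaskSymbol>::QueryInterface+0x17
STACK_FRAME:ole32!OleIsRunning+0x25
"""

# module!symbol+0xOFFSET; symbols may contain '::', '<' and '>'
FRAME_RE = re.compile(r"^(?P<module>[^!]+)!(?P<symbol>.+?)\+0x(?P<off>[0-9a-fA-F]+)$")

def parse_triage(text):
    """Parse KEY:VALUE lines; repeated keys (e.g. STACK_FRAME) become lists."""
    fields = defaultdict(list)
    for line in text.splitlines():
        if ":" not in line:
            continue  # blank or malformed line
        key, value = line.split(":", 1)
        fields[key.strip()].append(value.strip())
    return fields

def triage(text):
    """Summarize the crash and flag signs of execution in unmapped memory."""
    f = parse_triage(text)
    frames = f.get("STACK_FRAME", [])
    # First frame that resolves to module!symbol: last known code before the crash
    caller = next((fr for fr in frames if FRAME_RE.match(fr)), None)
    instr = f.get("FAULTING_INSTRUCTION", [""])[0]
    code = f.get("EXCEPTION_CODE", [""])[0].lower()
    return {
        "faulting_address": f.get("EXCEPTION_FAULTING_ADDRESS", [None])[0],
        "exception_type": f.get("EXCEPTION_TYPE", [None])[0],
        # Top frame 'Unknown': the faulting PC belongs to no loaded module
        "pc_outside_modules": bool(frames) and frames[0] == "Unknown",
        # int 3 (0x80000003) while the payload is 0xCC-filled: payload bytes ran
        "reached_payload": instr.endswith("int 3") and code == "0x80000003",
        "last_symbolized_frame": caller,
        "caller_module": FRAME_RE.match(caller).group("module") if caller else None,
        "stack_depth": int(f.get("STACK_DEPTH", ["0"])[0]),
        "frames_listed": len(frames),
    }

def is_likely_control_flow_hijack(text):
    """Heuristic: marker instruction hit at a PC outside every loaded module."""
    r = triage(text)
    return r["pc_outside_modules"] and r["reached_payload"]
```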

Fix recommendation:

Copyright notice: when reposting, please credit telnetgmike@WooYun


Vendor Response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-02-02 08:36

Vendor reply:

Still under further analysis; we ask the white hat to provide further sample/PoC information. Confirmed provisionally, but not yet directly verified.

Latest status:

None yet


Vulnerability Evaluation:

Comments

  1. 2015-01-28 12:16 | p4ssw0rd ( Regular white hat | Rank:306 Vulns:92 | No zuo no die )

    good job

  2. 2015-01-28 12:28 | 蛇精病 ( Passer-by | Rank:23 Vulns:10 | You don't even have a lollipop, and you talk about love? )

    Marking my spot before this blows up

  3. 2015-01-28 12:30 | 疯狗 Verified white hat ( Intern white hat | Rank:44 Vulns:2 | Having seen all the world's vulnerabilities, my mind is naturally uncensored. )

    Does it require user interaction?

  4. 2015-01-28 12:34 | bitemebitch ( Passer-by | Rank:23 Vulns:5 | Skill tree lighting up at turtle speed... )

    Marking my spot before this blows up

  5. 2015-01-28 12:35 | 牧者游民 ( Passer-by | Rank:8 Vulns:2 | boom boom cha, boom boom cha )

    Marking my spot before this blows up

  6. 2015-01-28 15:34 | F4K3R ( Regular white hat | Rank:297 Vulns:31 | Learning )

    So awesome~

  7. 2015-04-28 12:46 | 圣路西法 ( Passer-by | Rank:4 Vulns:3 | Watching the master ส็็็็็็ ̷̸̨̀͒̏̃ͦ... )

    Marking my spot before this blows up

  8. 2015-04-28 18:55 | 刹那永恒 ( Passer-by | Rank:4 Vulns:2 | This person is very, very, extremely lazy )

    Marking my spot before this blows up

  9. 2015-04-29 13:03 | 酷帥王子 ( Regular white hat | Rank:111 Vulns:34 | Clear sky, bright sun, a gentle breeze bringing leisure; how handsome I am, admiring my own reflection... )

    Badass! Nice